By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

he ranks the database giant's security proficiency well behind that of Microsoft in a new whitepaper.

Litchfield, managing director at UK-based Next Generation Security (NGS) Software, examined differences between the security of Microsoft's SQL Server and Oracle's relational database management system (RDBMS); based on flaws reported by external security researchers and ultimately fixed by the vendor in question in the last six years. In that period, he said, Microsoft patched 59 flaws in its SQL Server 7, 2000 and 2005 databases while Oracle patched 233 security holes in its Oracle 8, 9 and 10g databases.

"It is immediately apparent … that Microsoft SQL Server has a stronger security posture than the Oracle RDBMS," he wrote. In addition to the flaws outlined in the report, he said NGS is now waiting for Oracle to fix 49 security flaws it has reported.

The flaw count for SQL Server has been very low since 2002, Litchfield said, because Microsoft uses a security development lifecycle (SDL) where, as he put it, "knowledge learnt after finding and fixing screw ups is not lost. Instead, it is ploughed back into the cycle." From what he can tell, Oracle doesn't have a SDL of its own, since it is "making the same basic mistakes" and some of its fixes "indicate that they don't understand the problems they're trying to fix."

He said the conclusion is clear: "If security robustness and a high degree of assurance are concerns when looking to purchase database server software, given these results one should not be looking at Oracle as a serious contender."

For Oracle, criticism over its patching process is nothing new. The company's Critical Patch Updates (CPU) are usually followed by third-party warnings about flaws that either weren't addressed or weren't fixed properly. Litchfield has often led the charge.

In an interview with SearchSecurity.com in June, John Heimann, Oracle's director of security program management, and Darius Wiles, senior manager of security alerts, acknowledged that its patching process can be difficult to follow. They acknowledged that a vast array of platforms and mountains of source code can make for some patching mistakes and slow fixes.

In October, Oracle unveiled a new, easier-to-digest bulletin, providing summaries to vulnerabilities addressed in the CPU, adopting a vulnerability scoring system and identifying critical flaws that may be remotely exploitable without requiring authentication to a targeted system. The response from DBAs has been mixed.

Microsoft has also taken its share of criticism in recent years. But the software giant has moved aggressively to bake security into its products, most notably in Windows Vista.

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy